Commit da65d1dd authored by Antoine Eiche's avatar Antoine Eiche

nixos/osquery: init

parent a0393ca3
+2 −0
@@ -26,6 +26,8 @@

- [trust-dns](https://trust-dns.org/), a Rust based DNS server built to be safe and secure from the ground up. Available as [services.trust-dns](#opt-services.trust-dns.enable).

- [osquery](https://www.osquery.io/), a SQL powered operating system instrumentation, monitoring, and analytics.

## Backward Incompatibilities {#sec-release-23.11-incompatibilities}

- The `boot.loader.raspberryPi` options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs ([before mid-2019](https://github.com/NixOS/nixpkgs/pull/62462)) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices.
+1 −0
@@ -761,6 +761,7 @@
  ./services/monitoring/nagios.nix
  ./services/monitoring/netdata.nix
  ./services/monitoring/opentelemetry-collector.nix
  ./services/monitoring/osquery.nix
  ./services/monitoring/parsedmarc.nix
  ./services/monitoring/prometheus/alertmanager-irc-relay.nix
  ./services/monitoring/prometheus/alertmanager.nix
+0 −1
@@ -72,7 +72,6 @@ in
    (mkRemovedOptionModule [ "services" "mesos" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "moinmoin" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "mwlib" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
    (mkRemovedOptionModule [ "services" "pantheon" "files" ] ''
      This module was removed, please add pkgs.pantheon.elementary-files to environment.systemPackages directly.
    '')
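--- /dev/null
+++ b/nixos/modules/services/monitoring/osquery.nix
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.osquery;
+  dirname = path: with lib.strings; with lib.lists; concatStringsSep "/"
+    (init (splitString "/" (normalizePath path)));
+
+  # conf is the osquery configuration file used when the --config_plugin=filesystem.
+  # filesystem is the osquery default value for the config_plugin flag.
+  conf = pkgs.writeText "osquery.conf" (builtins.toJSON cfg.settings);
+
+  # flagfile is the file containing osquery command line flags to be
+  # provided to the application using the special --flagfile option.
+  flagfile = pkgs.writeText "osquery.flags"
+    (concatStringsSep "\n"
+      (mapAttrsToList (name: value: "--${name}=${value}")
+        # Use the conf derivation if not otherwise specified.
+        ({ config_path = conf; } // cfg.flags)));
+
+  osqueryi = pkgs.runCommand "osqueryi" { nativeBuildInputs = [ pkgs.makeWrapper ]; } ''
+    mkdir -p $out/bin
+    makeWrapper ${pkgs.osquery}/bin/osqueryi $out/bin/osqueryi \
+      --add-flags "--flagfile ${flagfile}"
+  '';
+in
+{
+  options.services.osquery = {
+    enable = mkEnableOption (mdDoc "osqueryd daemon");
+
+    settings = mkOption {
+      default = { };
+      description = mdDoc ''
+        Configuration to be written to the osqueryd JSON configuration file.
+        To understand the configuration format, refer to https://osquery.readthedocs.io/en/stable/deployment/configuration/#configuration-components.
+      '';
+      example = {
+        options.utc = false;
+      };
+      type = types.attrs;
+    };
+
+    flags = mkOption {
+      default = { };
+      description = mdDoc ''
+        Attribute set of flag names and values to be written to the osqueryd flagfile.
+        For more information, refer to https://osquery.readthedocs.io/en/stable/installation/cli-flags.
+      '';
+      example = {
+        config_refresh = "10";
+      };
+      type = with types;
+        submodule {
+          freeformType = attrsOf str;
+          options = {
+            database_path = mkOption {
+              default = "/var/lib/osquery/osquery.db";
+              readOnly = true;
+              description = mdDoc "Path used for the database file.";
+              type = path;
+            };
+            logger_path = mkOption {
+              default = "/var/log/osquery";
+              readOnly = true;
+              description = mdDoc "Base directory used for logging.";
+              type = path;
+            };
+            pidfile = mkOption {
+              default = "/run/osquery/osqueryd.pid";
+              readOnly = true;
+              description = mdDoc "Path used for pid file.";
+              type = path;
+            };
+          };
+        };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ osqueryi ];
+    systemd.services.osqueryd = {
+      after = [ "network.target" "syslog.service" ];
+      description = "The osquery daemon";
+      serviceConfig = {
+        ExecStart = "${pkgs.osquery}/bin/osqueryd --flagfile ${flagfile}";
+        PIDFile = cfg.flags.pidfile;
+        LogsDirectory = cfg.flags.logger_path;
+        StateDirectory = dirname cfg.flags.database_path;
+        Restart = "always";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+    systemd.tmpfiles.rules = [
+      "d ${dirname (cfg.flags.pidfile)} 0755 root root -"
+    ];
+  };
+}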
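Review bot: `LogsDirectory = cfg.flags.logger_path` and `StateDirectory = dirname cfg.flags.database_path` in the serviceConfig hand systemd absolute paths (`/var/log/osquery`, `/var/lib/osquery`), but as far as I recall systemd.exec(5) requires these directives to be names relative to `/var/log` and `/var/lib` and logs-and-ignores absolute values, so neither directory would be created and osqueryd would fail to open its database on first start; please confirm against the systemd version shipped with this release. Since both options are `readOnly` with fixed defaults, the straightforward fix is `LogsDirectory = "osquery";` and `StateDirectory = "osquery";`, and the pidfile directory could likewise become `RuntimeDirectory = "osquery";` in place of the separate tmpfiles rule. Separately, both `settings` and `flags` are rendered with `pkgs.writeText` into world-readable Nix store paths, which the option descriptions should state, e.g. `Values are written to the world-readable Nix store; supply secrets (enrollment secrets, TLS keys) by reference through path flags such as enroll_secret_path rather than inline.` The daemon also runs as root with no sandboxing directives, which is expected for osquery's table coverage but worth a one-line comment so a later maintainer does not add `DynamicUser` or `ProtectSystem` without checking which tables break.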